How to add parameter "max protocol = SMB2" to /etc/samba/smb.conf"?

letarch · May 29, 2017, 6:03pm

NethServer Version: 6.9
Module: I dont know

davidep · May 29, 2017, 6:58pm

What do you want to achieve?

letarch · May 29, 2017, 7:07pm

Just add this string to /etc/samba/smb.conf

davidep · May 29, 2017, 7:12pm

It’s explained in the developer manual…

BTW why do you need that parameter value?

letarch · May 29, 2017, 7:19pm

I want to defence our network from wannacry, sambacry etc

letarch · May 29, 2017, 7:20pm

where is developer manual? I’m not founded it

davidep · May 29, 2017, 7:35pm

Sorry for not having post it before, I was in a hurry

http://docs.nethserver.org/projects/nethserver-devel/en/v6/templates.html#local-site-overrides-templates-custom-and-templates-user-custom

Can you give some details about how that parameter can protect against those threats?

letarch · May 29, 2017, 7:44pm

I read article from http://winitpro.ru/index.php/2017/05/10/otklyuchenie-smb-1-0-v-windows-10-server-2016/. And after it, can’t connect to my shared folders. For fix it I need add this strings.

letarch · May 29, 2017, 7:57pm

After read text from your link, I run this commands:

mkdir -p /etc/e-smith/template-custom/etc/samba/smb.conf/
cp /etc/e-smith/templates/etc/samba/smb.conf/10global /etc/e-smith/template-custom/etc/samba/smb.conf/
add to this file “max protocol = SMB2” and “min protocol = SMB2”
/etc/e-smith/events/nethserver-samba-update/S20nethserver-samba-conf

and nothing… File /etc/samba/smb.conf not contains this strings

davidep · May 29, 2017, 8:10pm

After a template has been changed an event is required:

 signal-event nethserver-samba-update

letarch · May 29, 2017, 8:16pm

signal-event nethserver-samba-update
bash: signal-event: command not found

It’s command for NS 6.9?

alefattorini · May 30, 2017, 9:42am

Yes it is, which version of NethServer do you have?

Stefano_Zamboni · May 30, 2017, 10:10am

are you logged in as root or just as a simple user?

if the latter, if you want to become root, you need to do

su -

otherwise you won’t have the right path in your env

flatspin · May 30, 2017, 11:05am

Did you do a “expand-template /etc/samba/smb.conf”?

BTW: I tried the same on a NS6.9, but after that Win7 Clients had no more access to the shared folder.
Turned back and the access was given again. Please let me know if it worked in your case.

Stefano_Zamboni · May 30, 2017, 11:15am

my 2c: samba is not vulnerable to wannacry ramsonware if you keep it updated…

disabling such features won’t help you, 'cause if a client get the virus and the logged user has write access to samba shares, nothing can help you.

OTOH, disabling such a feature could have some unexpected and undesired effects on your clients and productivity.

the only way to defend yourself is:

keep all the machines uptodated (both server and clients)
have a good AV on server (for mail filtering) and on client too
have a good backup
work on your users’ net awareness… the best AV is the one between 2 ears

letarch · June 6, 2017, 5:37am

ofc, I’m run it as root